DIGIPASS Authentication for VMware Horizon Workspace

INTEGRATION GUIDE


Disclaimer

Disclaimer of Warranties and Limitation of Liabilities

All information contained in this document is provided 'as is'; VASCO Data Security assumes no responsibility for its accuracy and/or completeness.

In no event will VASCO Data Security be liable for damages arising directly or indirectly from any use of the information contained in this document.

Copyright

Copyright © 2013 VASCO Data Security, Inc, VASCO Data Security International GmbH. All rights reserved. VASCO®, Vacman®, IDENTIKEY AUTHENTICATION®, aXsGUARD™ and DIGIPASS® logo are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries. VASCO Data Security, Inc. and/or VASCO Data Security International GmbH own or are licensed under all title, rights and interest in VASCO Products, updates and upgrades thereof, including copyrights, patent rights, trade secret rights, mask work rights, database rights and all other intellectual and industrial property rights in the U.S. and other countries. Microsoft and Windows are trademarks or registered trademarks of Microsoft Corporation. Other names may be trademarks of their respective owners.


Table of Contents

1 Overview ... 4
2 Technical Concepts ... 5
2.1 VMware ... 5
2.1.1 Horizon Workspace ... 5
2.2 VASCO ... 5
2.2.1 IDENTIKEY Federation Server ... 5
2.2.2 IDENTIKEY Authentication Server ... 5
3 Configuration Details ... 7
3.1 Architecture ... 7
3.2 Pre-requisites ... 7
3.3 IDENTIKEY Federation Server ... 7
3.3.1 Add application ... 7
3.3.2 Adapt Meta-Data ... 8
3.4 VMware Horizon Workspace ... 8
3.4.1 Pre-Configuration ... 8
3.4.2 Adding Authentication Method ... 9
3.4.3 Adding Identity provider ... 9
3.4.4 Apply Policy set to Web Application ... 10
4 Testing the Solution ... 13
4.1 Authentication using built-in Horizon Workspace Connector ... 13
4.2 Authentication using IDENTIKEY Federation Server ... 13
4.3 Changing Default Access Policy Set ... 14
4.3.1 Overview ... 14
4.3.2 Solution Test ... 15


1 Overview

Figure: architecture overview. Components and links shown in the diagram: IDENTIKEY Federation Server (Ifs.vasco.be, 10.4.0.198); IDENTIKEY Authentication Server (10.4.0.13), linked to the Federation Server over RADIUS; VMware Horizon Workspace (workspace.vmware.com, 10.4.0.201), linked to the Federation Server over SAML v2.0; the connections are labelled SSL.


2 Technical Concepts

2.1 VMware

2.1.1 Horizon Workspace

Horizon Workspace provides an integrated workspace that delivers the right applications and data on any device, which promotes employee productivity without compromising security or IT control.

As an IT administrator, you can use the Web-based management platform to create customized sets of applications and data access (workspaces) for end users, including setting security policies and application entitlements. Using their desktops, mobile browsers, or mobile applications, employees can gain access to work resources, including shared corporate documents and many types of applications, customized based on their entitlements and devices.

VMware Horizon Workspace provides secure access to applications and data on any mobile device or computer, enhancing the end user experience while reducing management costs. Horizon Workspace provides an easy way for end users to access applications and files on any device, while at the same time enabling IT to deliver, manage, and secure these assets centrally. Horizon Workspace provides secure, single sign-on to applications, data, and virtual desktops from any computer or mobile device, and meets the challenges of today's changing Bring Your Own Device (BYOD) and mobile environments.

Horizon Workspace benefits both end users and IT administrators. Horizon Workspace provides end users with a single workspace for all applications and data, as well as seamless file sharing. It enables IT administrators to manage users instead of devices and to offer advanced security and protection of corporate data.

2.2 VASCO

2.2.1 IDENTIKEY Federation Server

IDENTIKEY Federation Server (IFS) is a virtual appliance providing you with the most powerful identity and access management platform. It is used to validate user credentials across multiple applications and disparate networks.

The solution validates users and creates an identity ticket, enabling online single sign-on for different applications across organizational boundaries. As validated credentials can be reused, once a user's identity is confirmed, access to authorized services and applications is granted. Users can securely switch between the different applications and collaborate with colleagues, business partners, suppliers and customers, using one single identity.

IDENTIKEY Federation Server functions as an identity provider within the local organization, but it can also delegate authentication requests (for unknown users) to other identity providers. In a federated model, IDENTIKEY Federation Server not only delegates authentication requests to other identity providers but also receives requests from them when local users want to access applications from other organizations within the same federated infrastructure.

2.2.2 IDENTIKEY Authentication Server

IDENTIKEY Authentication Server (IAS) is an off-the-shelf centralized authentication server that supports the deployment, use and administration of DIGIPASS strong user authentication. It offers complete functionality and management features without the need for significant budgetary or personnel investments.

IDENTIKEY Authentication Server is supported on 32-bit systems as well as on 64-bit systems.

IDENTIKEY Appliance is a standalone authentication appliance that secures remote access to corporate networks and web-based applications.

The use and configuration of an IDENTIKEY Authentication Server and an IDENTIKEY Appliance are similar.


3 Configuration Details

3.1 Architecture

Figure: configuration architecture. IDENTIKEY Federation Server (Ifs.vasco.be, 10.4.0.198) and VMware Horizon Workspace (workspace.vmware.com, 10.4.0.201), linked over SAML v2.0.

3.2 Pre-requisites

- A basic configured VMware Workspace environment. Information can be found here: http://www.vmware.com/files/pdf/techpaper/vmware-horizon-workspace-reviewers-guide.pdf

- A basic configured IDENTIKEY Federation Server.

- The metadata file of the VMware Horizon Workspace:

  o Log in to the Administrator Web interface.

  o Select Settings > SAML Certificate.

  o Click Service Provider (SP) metadata.

  o Copy and save the appropriate information using the method that best suits your organization.

3.3 IDENTIKEY Federation Server

3.3.1 Add application

1. Log into the management console


2. Navigate to Applications > Add Application

a. Application type: SAML v2.0 Application

b. Select an authentication profile

c. Set the distribution method to Upload metadata file

d. Upload the retrieved metadata file from the VMware Horizon Workspace

3. Click Save

3.3.2 Adapt metadata

1. Download the metadata from your IFS: https://<your-ifs>/ifs/profiles/saml2 (in this example: https://ifs.vasco.com/ifs/profiles/saml2)

2. Adapt the NameIDFormat entries in the IDPSSODescriptor section. As downloaded, they are:

   <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
   <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
   <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
   <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified</md:NameIDFormat>

3. Remove the persistent and transient NameIDFormat entries and leave only the unspecified ones:

   <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
   <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified</md:NameIDFormat>

4. Replace the SingleLogoutService Location URL in the IDPSSODescriptor section with https://<your-ifs>/ifs/sso/user/logout

   a. It will look like: <md:SingleLogoutService Location="https://<your-ifs>/ifs/sso/user/logout" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
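As an added example (not VASCO's or VMware's code), the following Python script applies steps 3 and 4 above to an IFS metadata download using the standard library's xml.etree: it keeps only the unspecified NameIDFormat entries inside the IDPSSODescriptor and rewrites the SingleLogoutService Location. The metadata embedded in it is a constructed sample, and the host ifs.example.test is a placeholder for <your-ifs>.

```python
"""Adapt IDENTIKEY Federation Server SAML metadata for Horizon Workspace.

Added example, not VASCO or VMware code. Applies steps 3 and 4 of section
3.3.2 to an IdP metadata document. The sample metadata below is constructed
for illustration; only the NameIDFormat and SingleLogoutService elements
matter for the edit, the rest is kept untouched.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD_NS)  # keep the md: prefix when serializing

# The NameIDFormat values that must remain after step 3.
KEEP_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified",
}

# Constructed sample of the IDPSSODescriptor part of an IFS metadata download.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://ifs.example.test/ifs/profiles/saml2">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://ifs.example.test/ifs/profiles/saml2/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://ifs.example.test/ifs/profiles/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def adapt_idp_metadata(xml_text: str, ifs_host: str) -> str:
    """Return the metadata with only 'unspecified' NameIDFormats left and every
    SingleLogoutService Location set to https://<ifs_host>/ifs/sso/user/logout."""
    root = ET.fromstring(xml_text)
    idp = root.find(f"{{{MD_NS}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor found; this is not IdP metadata")

    # Step 3: drop the persistent and transient NameIDFormat entries.
    for fmt in list(idp.findall(f"{{{MD_NS}}}NameIDFormat")):
        if (fmt.text or "").strip() not in KEEP_FORMATS:
            idp.remove(fmt)

    # Step 4: point the SingleLogoutService at the IFS user logout endpoint.
    slo_elems = idp.findall(f"{{{MD_NS}}}SingleLogoutService")
    if not slo_elems:
        raise ValueError("IDPSSODescriptor has no SingleLogoutService to replace")
    for slo in slo_elems:
        slo.set("Location", f"https://{ifs_host}/ifs/sso/user/logout")

    return ET.tostring(root, encoding="unicode")


def name_id_formats(xml_text: str) -> list:
    """Verification helper: NameIDFormat values of the IDPSSODescriptor, in order."""
    idp = ET.fromstring(xml_text).find(f"{{{MD_NS}}}IDPSSODescriptor")
    return [(e.text or "").strip() for e in idp.findall(f"{{{MD_NS}}}NameIDFormat")]


def slo_locations(xml_text: str) -> list:
    """Verification helper: Location attribute of each SingleLogoutService."""
    idp = ET.fromstring(xml_text).find(f"{{{MD_NS}}}IDPSSODescriptor")
    return [e.get("Location") for e in idp.findall(f"{{{MD_NS}}}SingleLogoutService")]


if __name__ == "__main__":
    print(adapt_idp_metadata(SAMPLE_METADATA, "ifs.example.test"))
```

Run the adapted output through name_id_formats and slo_locations before pasting it into Horizon Workspace (section 3.4.3, step e), so a stray persistent or transient format cannot slip through.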

3.4 VMware Horizon Workspace

The configuration points below are described in depth in the VMware Horizon Workspace manual: Workspace 2.0 Administrator Documentation Center

3.4.1 Pre-Configuration

Verify that the third-party instances are SAML 2.0 compliant and that Horizon Workspace can reach them.


Determine how Horizon Workspace obtains the metadata from the third-party instance. Copy and save the appropriate metadata information from the third-party instance so that you can paste it into the Horizon Workspace Administrator Web interface during configuration. The metadata information you obtain from the third-party instance is either the URL to the metadata or the actual metadata.

To enable Horizon Workspace to use authentication methods supported by the third-party identity provider, use the Administrator Web interface to configure the additional authentication methods.

Edit an authentication method by selecting the Default Method checkbox. This action allows Horizon Workspace to use that authentication method in case of an issue with the third-party authentication method.

3.4.2 Adding Authentication Method

1. Log in to the Workspace Admin Console.

2. Select Settings > Authentication Methods.

3. Add a new authentication method.

a. Type a name for this identity provider instance.

b. Select the appropriate SAML context from the drop-down menu. The list includes the SAML authentication contexts that are currently supported according to the SAML 2.0 specifications.

c. Apply an authentication score based on your predetermined security levels for authentication methods.

Authentication Score: When you create access policies for either the default access policy set or for Web-application-specific policy sets, you configure a minimum authentication score. The policies require users to authenticate using an authentication method with the specified authentication score or higher to access Horizon Workspace, in the case of a default access policy, or a web application, in the case of a Web-application-specific policy.

3.4.3 Adding Identity provider

1. Log in to the Workspace Admin Console.

2. Select Settings > Identity Providers.


3. Click Add Identity Provider. This option prompts you for information that enables Workspace to register an existing third-party identity provider instance.

a. Select Manual for third-party identity provider instances.

b. Type a name for this identity provider instance.

c. Type a description for this identity provider instance.

d. Select the authentication methods for Workspace to apply when users who are associated with this identity provider instance log in.

e. Copy the XML metadata from the identity provider instance and paste it in the Meta data XML text box.

f. Select the network ranges of the users, based on their IP addresses, that you want to direct to this identity provider instance for authentication.

g. Click Save.

4. If necessary, change the order of the identity provider instances.

3.4.4 Apply Policy set to Web Application

An access policy set contains one or more access policies. Each access policy consists of settings that you can configure to manage user access to the Horizon Workspace User Portal as a whole or to specified web applications.

Each access policy links a network range to a minimum authentication score. A user logging in from an IP address within the applied policy's specified network range is presented with an authentication method that is equal to or higher than the minimum authentication score of the policy. Each identity provider instance in your Horizon Workspace deployment also links network ranges with authentication methods. When you configure an access policy, ensure that the network range and authentication score pairing that you create is covered by an existing identity provider instance.

For more information on how to configure an access policy, refer to the documentation provided by VMware.


To apply an access policy, you create the policy as a part of an access policy set. Each policy in an access policy set can specify the following

1. Click the Catalog tab.

2. Click Any Application Type > Web Applications.

3. Click the Web application to which to apply a Web-application-specific access policy set.

4. The information page for the Web application appears with the Entitlements tab selected by default.

5. Click Access Policies.

6. From the Access Policy Set drop-down menu, select the Web-application-specific access policy set to apply to the application.

7. Click Save.

Web-Application-Specific Policy Set Example

Policy Name      Network      Minimum Authentication Score   TTL (hours)
ExtraSensitive   All Ranges   Level 3                        1

The preceding example policy set applies to the following use case.

Extra Strict Web-Application-Specific Access Policy Set Use Case

1. User logs in inside the enterprise network using the password authentication method, which is level 1 according to the example.

2. Now, the user has access to the user portal for eight hours.

3. The user immediately tries to launch a web application with the Example 2 policy set applied, which requires level 3 or above authentication.

4. The user is redirected to an identity provider that provides level 3 or higher authentication strength, such as a Connector instance requiring 2-factor authentication.

5. After the user successfully logs in, Horizon Workspace launches the application and saves the authentication event.

6. The user can continue to launch this application for up to an hour but is asked to re-authenticate after an hour unless the user initiated a level 3 or higher authentication event within an hour of the launch, as dictated by the policy.


4 Testing the Solution

4.1 Authentication using built-in Horizon Workspace Connector

(in our environment)

- Make sure the access policy for your test web applications is set to the default policy set (unmodified, or create a new policy with minimal authentication level settings).

- Log in as a user who is entitled to use the test web application.

- Navigate to the web application (click the icon).

- The user is directly logged in.

4.2 Authentication using IDENTIKEY Federation Server

(in our environment)

- Make sure the access policy for your test web applications is set to the newly created access policy set (make sure this access policy set is associated with IDENTIKEY Federation Server login).

- Log in as a user who is entitled to use the test web application.

- Navigate to the web application (click the icon).

- The user is now redirected to the IDENTIKEY Federation Server and is required to log in using their username and OTP.

4.3 Changing Default Access Policy Set

4.3.1 Overview

Horizon Workspace includes a default access policy set that controls user access to the Horizon Workspace User Portal. You can edit the policy set by editing, deleting, or adding policies as necessary.

Each policy in the default access policy set requires that a set of criteria is met in order for Horizon Workspace to allow access to the user portal.


The following access policy set serves as an example of how you can configure the default access policy set to control access to the Horizon Workspace User Portal.

Example Default Access Policy Set:

Policy Name   Network          Minimum Authentication Score   TTL (hours)
Internal      Internal Range   1                              8
External      All Ranges       3                              4

Policies are evaluated in the preceding order. You can drag a policy in a policy set up or down to change the priority for evaluation.

The preceding example policy set applies to the following use case.

Default Access Policy, Browser Use Case:

Internal. To access Horizon Workspace from an internal (Internal Range) network, Horizon Workspace presents users with the Active Directory password authentication method. To ensure that Horizon Workspace attempts to authenticate users with Kerberos authentication first, you make the authentication score of the Kerberos method higher than the authentication score of the password method and you place Kerberos at the top of the list on the Authentication Methods page. You also assign a network range for internal users. The user logs in using a browser and now has access to the user portal for an eight-hour session.

External. To access Horizon Workspace from an external (All Ranges) network, the user is required to log in with 2-factor authentication, which for this example has an authentication score of 3. The user logs in using a browser and now has access to the user portal for a four-hour session.

When a user attempts to access a resource, except for a web application covered by a Web-application-specific policy set, the default portal access policy set applies.

For example, the time-to-live (TTL) for such resources matches the TTL of the default portal access policy set. If the TTL for a user who logs in to the user portal is 8 hours according to the default portal access policy set, when the user attempts to launch a resource, the application launches without requiring the user to re-authenticate.
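The policy evaluation described in section 3.4.4 and in this section, as an added model that is not VMware's or VASCO's code: it encodes both example policy sets (network range, minimum authentication score, TTL), evaluates policies in order, and walks the Extra Strict use case step by step to show when the step-up to a level-3 method and the re-authentication after one hour are triggered. The internal range 10.4.0.0/16, the client IPs and the hour values are constructed assumptions.

```python
"""Model of Horizon Workspace access-policy evaluation (sections 3.4.4 and 4.3.1).

Added illustration, not VMware or VASCO code. It reproduces the guide's two
example policy sets and the 'Extra Strict' use case. The network range, the
client IPs and the clock values are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass
class Policy:
    name: str
    network: str        # CIDR; "0.0.0.0/0" stands in for "All Ranges"
    min_score: int      # minimum authentication score the policy requires
    ttl_hours: float    # how long a qualifying authentication event stays valid


@dataclass
class AuthEvent:
    score: int          # score of the authentication method the user completed
    at_hour: float      # constructed clock value, in hours


# Constructed equivalents of the guide's two example policy sets. The internal
# range is an assumption; the scores and TTLs are the guide's example values.
INTERNAL_RANGE = "10.4.0.0/16"
DEFAULT_SET = [
    Policy("Internal", INTERNAL_RANGE, min_score=1, ttl_hours=8),
    Policy("External", "0.0.0.0/0", min_score=3, ttl_hours=4),
]
EXTRA_SENSITIVE_SET = [Policy("ExtraSensitive", "0.0.0.0/0", min_score=3, ttl_hours=1)]


def matching_policy(policy_set: List[Policy], client_ip: str) -> Policy:
    """Policies are evaluated in order: the first whose range contains the IP wins."""
    for policy in policy_set:
        if ip_address(client_ip) in ip_network(policy.network):
            return policy
    raise LookupError(f"no policy in the set covers {client_ip}")


def access_allowed(policy_set: List[Policy], client_ip: str,
                   events: List[AuthEvent], now_hour: float) -> Tuple[bool, Policy]:
    """Access is granted when a saved authentication event meets the matching
    policy's minimum score and is younger than the policy's TTL; otherwise the
    user is sent to (re-)authenticate with a method of sufficient score."""
    policy = matching_policy(policy_set, client_ip)
    for event in events:
        if event.score >= policy.min_score and now_hour - event.at_hour < policy.ttl_hours:
            return True, policy
    return False, policy


def extra_strict_use_case(client_ip: str = "10.4.0.50") -> Dict[str, bool]:
    """Walk the 'Extra Strict' use case of section 3.4.4; keys follow its steps."""
    events = [AuthEvent(score=1, at_hour=0.0)]  # step 1: password login, level 1
    result: Dict[str, bool] = {}
    result["portal_after_login"], _ = access_allowed(DEFAULT_SET, client_ip, events, 0.0)  # 2
    result["app_before_stepup"], _ = access_allowed(EXTRA_SENSITIVE_SET, client_ip, events, 0.0)  # 3
    events.append(AuthEvent(score=3, at_hour=0.0))  # steps 4-5: level-3 login is saved
    result["app_after_stepup"], _ = access_allowed(EXTRA_SENSITIVE_SET, client_ip, events, 0.0)
    result["app_at_30min"], _ = access_allowed(EXTRA_SENSITIVE_SET, client_ip, events, 0.5)
    result["app_at_1h"], _ = access_allowed(EXTRA_SENSITIVE_SET, client_ip, events, 1.0)  # 6
    result["portal_at_1h"], _ = access_allowed(DEFAULT_SET, client_ip, events, 1.0)
    return result


if __name__ == "__main__":
    for step, allowed in extra_strict_use_case().items():
        print(f"{step}: {'access' if allowed else 're-authenticate'}")
```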

4.3.2 Solution Test

1. Log in to the Workspace Admin Console.

2. Select Policies > Access Policy Sets.

3. Click Edit on the Default Access Policy Set to configure it.

4. Click the policy name (the All Ranges policy, by default).

a. Change the minimum authentication score to the value that was assigned to the Authentication Method used for the IDENTIKEY Federation Server.

Then test the change:

1. Navigate to the Workspace user portal.

2. You will be redirected to the IDENTIKEY Federation Server for authentication.

a. Log in using username and OTP.

3. When authentication is successful you are redirected to the Workspace portal.